Transparency report

A transparency report is a published document where a service provider discloses the volume and nature of government data demands received during a reporting period. Major providers publish semi-annual or annual reports: Google, Microsoft, Apple, Meta, Cloudflare, Twitter/X (when published), Proton, Mullvad, plus dozens of smaller providers. The format varies but typically discloses: number of requests by jurisdiction, percentage compliance, breakdown by request type (subpoena, warrant, NSL where disclosure is permitted), and account-affected counts.

What it means in practice

Transparency reports surfaced as a category in 2010-13, partly in response to Snowden disclosures and partly through industry adoption of the Google-led format. The structural value: comparative analysis of providers’ cooperation profiles. Google’s reports show tens of thousands of US-government requests annually with high compliance rates; Apple’s reports show similar patterns with iCloud and account data; Mullvad’s reports document zero compliance because the architecture (no logs, no identifying data) means there is nothing to compel. The reports do not capture: classified requests subject to gag orders (NSLs disclosed only as binned counts), sealed proceedings where the provider may not disclose, and (most consequentially) the fact that the absence of a transparency report is itself a data point about the provider’s cooperation posture. Providers who do not publish are operating in a different transparency regime than those who do.

Where it shows up

Useful when evaluating: VPN providers (Mullvad, Proton, IVPN, NordVPN all publish; the absence of meaningful disclosure is structural information), email providers (Proton publishes detailed transparency reports including content of legal-process challenges; Tutanota similar), cloud providers (Google, Microsoft, Apple all publish; the response patterns and refusal counts are operational data), social-media platforms (Meta, Twitter/X when functional, plus the smaller alternatives). The Predaxia operational use: read the transparency report of any provider you are considering for sensitive use; the report tells you what cooperation looks like in practice rather than what the marketing claims it would look like. Mullvad’s reports documenting “police visited our office in 2023, took no data because we have none to give” are the structural example of architecture-determined transparency.

What you can change today

When evaluating a service for sensitive use, read the latest transparency report. Three questions. First, what volume of government requests does the provider receive (high volume is not necessarily bad; Google’s scale generates large absolute numbers without indicating disproportionate cooperation)? Second, what is the cooperation rate (the provider that complies with 99% of requests is operating differently from the one that refuses 50%; both can be legitimate, the operational implications differ)? Third, what is the response to refused or challenged requests (does the provider litigate to protect users, accept the request, or fall silent)? For the highest-target use cases: the absence of a transparency report or a thin formulaic report is itself information; prefer providers whose disclosure is detailed and whose cooperation profile matches your threat model.

Related articles